Imperva Cyber Community


Kernel Reverse Proxy Deployment

  • 1.  Kernel Reverse Proxy Deployment

    Posted 08-07-2020 08:41
    Good day,

    Is anybody here experienced with KRP deployment for on-premise WAF?
    We tried deploying KRP mode but we encountered an error for HTTPS traffic; there is no problem when using HTTP. Attached is the error.
    Anyone here who can help?

    Thank you.
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Jessibel Millanes
    MLhuillier
    Cebu
    ------------------------------


  • 2.  RE: Kernel Reverse Proxy Deployment

    Community Manager
    Posted 08-07-2020 09:26
    @Jessibel Millanes

    Thank you for posting. From the description it sounds like you need to check to make sure all the required certificates have been loaded on the MX - this is required for SSL. You own the loading of the certs. The certs are application specific so only you can get the right cert from the application owner.

    Here is one post that might be able to help. 
    How can I replace old SSL certificate to valid SSL certificate for MX ?

    Also, we have an entire section around Kernel Reverse Proxy. 
    Configuring Kernel Reverse Proxy and Apache Reverse Proxy on the Same Gateway
    Configuring Kernel Reverse Proxy Version 13.6


    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 3.  RE: Kernel Reverse Proxy Deployment

    Posted 08-09-2020 20:25
    Hi Christopher,

    Thank you for your response, I already loaded an SSL but same error.

    ------------------------------
    Jessibel Millanes
    MLhuillier
    Cebu
    ------------------------------



  • 4.  RE: Kernel Reverse Proxy Deployment

    Posted 08-10-2020 09:52
    Hi Jessibel,

    Try to reach the website over HTTPS by removing KRP to check if the website is up and running over HTTPS.

    Make sure you have KRP enabled and the right alias selected. Try to curl the webserver from the gateway to check if the gateways can reach the webserver.

    Thanks

    ------------------------------
    SC
    ------------------------------



  • 5.  RE: Kernel Reverse Proxy Deployment

    Posted 08-10-2020 20:39
    Hi Good Day,

    The website is accessible via HTTPS without passing through Imperva, and when we try to integrate it with Imperva the error occurred.
    KRP is already enabled. I just want to make a clarification with regard to the alias: what I used for External address and Internal address is the same, which is the gateway address. Am I doing the right thing?

    Thankful to anyone who can help.
    Thanks.

    ------------------------------
    Jessibel Millanes
    MLhuillier
    Cebu
    ------------------------------



  • 6.  RE: Kernel Reverse Proxy Deployment

    Posted 08-11-2020 08:59
    Hi,

    The same external and internal address should be fine. I think the issue here is that the gateways are not able to reach the backend webserver. Check your next hop route and whether it's reachable or not. It's under Setup->Gateway->Routes.

    Thanks

    ------------------------------
    SC
    ------------------------------



  • 7.  RE: Kernel Reverse Proxy Deployment

    Posted 08-11-2020 20:32
    Hi Good Day,

    I can say that the backend server is reachable since the HTTP service for the same website is accessible, but using HTTPS the site is unreachable. Also, I was able to ping the server from Imperva.

    Thanks for the response.


    ------------------------------
    Jessibel Millanes
    MLhuillier
    Cebu
    ------------------------------



  • 8.  RE: Kernel Reverse Proxy Deployment

    Posted 08-27-2020 08:20
    Hi,

    The best thing to do in this case is to perform a tcpdump on the gateway and analyze the capture externally.
    I recommend that you configure different error pages depending on the error you get. This one is too generic.
    If routing is fine and you have configured the aliases, check to make sure the encrypt ticket is checked on the reverse proxy configuration.

    Good luck

    ------------------------------
    Edvin Fiku
    S&T Albania
    ------------------------------
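
Added example, not part of any post in this thread and not Imperva tooling: the replies suggest testing reachability from the gateway toward the web server, and this Python sketch probes the HTTP and HTTPS listeners separately and reports whether a failure is at the TCP layer, in the TLS handshake, or in certificate validation. It assumes it is run from a machine that takes the same route to the web server as the gateway; the function names and the address `192.0.2.10` are placeholders.

```python
import socket
import ssl

def probe(host, port, use_tls, timeout=3.0):
    """Return (stage, detail) describing how far a connection to host:port gets."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("tcp_refused", "port closed, or a filter sent a reset")
    except socket.timeout:
        return ("tcp_timeout", "no answer: missing route or silent firewall drop")
    except OSError as exc:
        return ("tcp_error", str(exc))
    with sock:
        if not use_tls:
            return ("tcp_ok", "TCP handshake completed")
        ctx = ssl.create_default_context()  # certificate verification stays on
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("tls_ok", f"{tls.version()} {tls.cipher()[0]}")
        except ssl.SSLCertVerificationError as exc:
            # The handshake reached the certificate: a trust or name problem,
            # not a network problem.
            return ("tls_cert_invalid", exc.verify_message)
        except OSError as exc:  # ssl.SSLError and socket timeouts are OSErrors
            return ("tls_failed", f"TCP open, TLS handshake failed: {exc}")

def compare(host, http_port=80, https_port=443):
    """Probe the plain and TLS listeners separately so results are not conflated."""
    return {
        "http": probe(host, http_port, use_tls=False),
        "https": probe(host, https_port, use_tls=True),
    }

if __name__ == "__main__":
    # 192.0.2.10 is a documentation-range placeholder, not an address from the thread.
    for name, (stage, detail) in compare("192.0.2.10").items():
        print(f"{name:5} {stage:16} {detail}")
```

A `tcp_ok` result on port 80 alongside `tcp_timeout` or `tcp_refused` on port 443 points at routing or filtering for the HTTPS port, while `tls_failed` or `tls_cert_invalid` points at the TLS configuration or the certificate.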